Conversation
When an admin added or invited someone who was already an ACTIVE member of
the org, their role was never updated — the role write was gated behind the
`deactivated` branch in three places. So promoting an existing employee
(portal-only, no `app:read`) to admin silently failed: accepting the invite
marked it accepted but left the role as `employee`, and the user landed on
`/no-access` ("Access Denied").
Fix: when the invitee is an existing active member, union the invited roles
into their current roles (sorted, de-duped) so the new roles take effect and
no existing role is ever stripped.
- accept-invitation.ts: active members now merge invited roles (deactivated
members keep the existing reactivate-and-replace behavior).
- people-invite.service.ts: `inviteWithCheck` and `addEmployeeWithoutInvite`
upgrade an active member's role in place. For an already-active member there
is nothing to "invite", so the redundant invitation + email are dropped and
the role is updated directly (removes `sendInvitationEmailToExistingMember`).
- Shared role helpers (`normalizeRoleString`, `mergeRoleStrings`) added to
apps/app `lib/permissions.ts`; equivalent private helpers in the API service.
Tests: API service specs for active-member promote / no-op / employee-path
union; app unit tests for the role-merge helpers.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DsGo9DPoaKf7npxMhY2tkz
…-active-member fix(people): upgrade an existing active member's role on invite/accept
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
Contributor
|
🎉 This PR is included in version 3.92.4 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Fixes role upgrades for existing active members by merging invited roles into their current roles on invite/accept, so promotions take effect and users no longer hit "Access Denied". Removes redundant invites/emails for already-active members and adds shared role helpers with tests.
PeopleInviteServicenow unions invited roles into existing roles for active members; skips invitation/email; removes the existing-member invite path.accept-invitationmerges invited roles for active members; deactivated members are reactivated with invited roles.normalizeRoleStringandmergeRoleStrings(with tests) to sort/de-dupe role strings.Written for commit 86e4354. Summary will update on new commits.